ACH Debate: 'Good Faith' and Reasonable Security

Last week, Comerica Bank opted to close its case with former customer Experi-Metal Inc., despite the bank's statement last month that it would appeal a U.S. District Court's ruling that called for reimbursement of funds lost after EMI's account was taken over by cyberfraudsters in 2009. EMI sued Comerica for damages totaling $560,000 -- a loss EMI claimed resulted from Comerica's approval of fraudulent wire transfers exceeding $1.9 million.

In June, a Michigan court's ruling favored EMI, saying Comerica should have detected and stopped the fraudulent transfers. "There are a number of considerations relevant to whether Comerica acted in good faith with respect to this incident," the court said. "A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier. Comerica fails to present evidence from which this Court could find otherwise."

When the judgment was handed down, Comerica said it had acted in "good faith" and planned to appeal. "Comerica's security token technology is commercially reasonable and in compliance with current Federal Financial Institutions Examination Council guidelines," said bank spokeswoman Kathleen Pitton. "We presented evidence that disputes the allegations made against us and believe that, following a review of the evidence, the appellate court will agree and reverse this decision."

This past week, however, Pitton says the bank opted to resolve the matter, rather than go through with an appeal.

David Navetta, an attorney who specializes in IT security and privacy, says Comerica's decision could be telling. "It's always hard to tell what the decision-making process is for a bank or a company in a case like this; but the [FFIEC] supplement does discuss some of the behavioral analytics and fraud detection - issues that are addressed in the EMI case," he says. "The actual breach occurred a couple of years ago, before the supplement was issued. But because there are references to some of the behavioral stuff, it may have impacted their decision to not appeal."

How much influence the new FFIEC guidance is having on judges and their rulings is hard to gauge, but there's no doubt courts are looking to the guidance for, well, guidance. And attorneys for victims of ACH fraud are taking that FFIEC ball and running.

The discussion surrounding good faith and reasonable security, in light of the new FFIEC guidance, is picking up steam.

Last month, another commercial victim of corporate account takeover, California-based Village View Escrow Inc., filed a complaint against Professional Business Bank for the $465,000 Village View lost after hackers infiltrated its online bank account. In the complaint, Village View explicitly mentions good faith, reasonable security and the industry standard for multifactor authentication outlined in the FFIEC's new guidance.

In another ACH-fraud case, Jim Payne of Choice Escrow says Choice is amending its petition against BancorpSouth to expand on the definition of the good faith standard. "We are in the process of writing an amended petition to allow us to use the Mississippi statute (Bancorp is from Mississippi), and that statute mirrors Michigan in the area of 'good faith,'" Payne says. According to the statute, "good faith" means "honesty in fact and in observance of reasonable commercial standards of fair dealing," he says.

Commercial customers are optimistic, but only time will tell how the courts ultimately land on the FFIEC and good-faith arguments. But, as Navetta points out, we are getting closer to seeing legal precedent.

"The fact that we now have a little more case law, which means more guidance to litigants and defendants, the arguments that are successful are going to be adopted," he says. "As time goes on, you'll get a body of law and have more guidance from the courts. ... Eventually, you get agreement."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.